A couple of days ago Synopsys announced that they were acquiring Quotium’s product Seeker, an interactive application security testing (IAST) product. Synopsys are acquiring the product and the R&D team, not the whole of Quotium. Seeker is a pioneering IAST solution that helps businesses find high-risk security weaknesses while fostering collaboration between development and security teams. It exposes vulnerable code and ties it directly to business impact and exploitation scenarios, providing a clear explanation of risks.
It is just over a year since Synopsys first moved into the software quality and security space with their acquisition of Coverity. They recently renamed this group in Synopsys to be the software integrity group.
Subsequently they acquired Codenomicon, a Finnish company well-known and highly respected in the global software security world with a focus on software embedded in chips and devices. They are also famous for having independently discovered the infamous Heartbleed bug last year while improving a feature in their tools.
At one level you can argue that Synopsys’ EDA product line has very little to do with software security and quality. Even though some companies show up as customers for both product lines, typically the teams designing SoCs and the teams creating the software to run on them are separate. Not just separate engineers, but separate purchasing arrangements, separate environments, separate budgets. There are also lots of companies (think banks, for example) who create a lot of software but don’t do chip design at all.
Software quality and security is a growing market since software is getting into more and more life-critical and security-critical areas. If your smartphone crashes it is annoying. If your ABS braking system crashes then maybe you do too. And if your heart pacemaker crashes then no good will come of it.
On the security side you have to have been living under a log for the last couple of years not to realize how important security is. It is clear that security requires a multi-layered approach involving both hardware and software so those separate groups are perhaps not so separate. It still seems to be hard to get companies to invest heavily in security but the stakes are very high. Target’s well-known security breach cost it hundreds of millions of dollars. The penetration actually happened through an air-conditioning system, not the first place that springs to mind.
I think the really big possibility for Synopsys is not just that these are attractive fast-growing markets. I think that there is a real possibility of using some of the techniques that we use for semiconductor design to strengthen software design. Semiconductor design is very different from software, of course: we don’t get to run more than one or two versions of a design through a fab/foundry, since it costs millions of dollars to do so. But if you look at it from a risk point of view they are not so different. An undetected error in either case can have a huge business impact, much greater than the cost of doing the design in the first place.
Two areas that seem to offer a lot of synergy are:
There is no solid guarantee that these synergies will prove to be enough to drive Synopsys’ software integrity business to a much higher level than would happen if it were run completely independently. But as the cost of getting things wrong goes up, the value of being as sure as possible that all problems have been found goes up too. The investment that companies will be prepared to make to ensure software integrity will go up as well.